
GoDaddy, the world’s largest seller of internet domain names, is sounding the alarm over a series of directives handed down by an Indian court, arguing that rules meant to combat fraudulent websites could actually make the internet more dangerous for law-abiding businesses and have consequences that stretch well beyond India’s borders.
Online fraud has become a mounting crisis in India, the world’s most populous country, as smartphone and internet usage has surged. Prime Minister Narendra Modi’s government received 2.4 million complaints of alleged cyber fraud last year alone, with losses totaling $2.4 billion.
The legal battle traces back to 2019, when more than 20 major Indian and international companies — including Amazon, McDonald’s, Microsoft, Xiaomi, and Colgate-Palmolive — filed lawsuits seeking court action against websites fraudulently using their names. Amazon targeted fake shopping sites, while McDonald’s went after bogus pages selling phony franchise opportunities. In December, a New Delhi judge ordered more than 1,100 such sites to be shut down.
But that same judge went further, issuing a set of sweeping additional measures that tech experts say have fundamentally altered how internet governance works. Among the directives: domain registrars must stop offering privacy protection to buyers at no cost by default, the personal details of website registrants must be handed over to anyone with a “legitimate interest” within 72 hours, and domain names that resemble protected brand names must be blocked from registration.
GoDaddy, which is based in the United States, has filed a challenge against those directives before a larger panel of judges at the Delhi High Court, according to a Reuters review of non-public court documents. The company argues that removing default privacy protections would expose the names, addresses, phone numbers, and email addresses of legitimate website owners to the public, creating what it described as “foreseeable privacy and security risks” including stalking and harassment.
Because domain names function on a global scale rather than within any single country, GoDaddy also warned that the court’s order could effectively require the company to regulate website addresses around the world. On the 72-hour disclosure requirement, GoDaddy contends it has no reliable way to determine who qualifies as having a “legitimate interest” in obtaining someone’s registration information.
One of GoDaddy’s appeal documents — spanning 5,121 pages — cautioned that the “commercially destabilising” nature of the directives could push domain name companies to “exit India” altogether. Neither the Indian government nor GoDaddy responded to requests for comment from Reuters.
GoDaddy is a major player in the industry, generating $5 billion in annual revenue, managing 80 million domain names, and serving more than 20 million users. Company executives stated in 2024 that India represented its largest market in the emerging market category. Two of GoDaddy’s competitors — Arizona-based Namecheap and Netherlands-based Hosting Concepts — have also challenged the New Delhi ruling, though the specifics of their appeals could not be confirmed. Neither company responded to Reuters’ questions.
The December ruling characterized the fraudulent websites as “engines for large scale deception.” Among the 14 measures outlined by the court, one specified that hiding a domain buyer’s registration details should only be available as a paid service, since the feature acts “as a cloak” that shields the identities of bad actors.
Despite the court order still being in effect, GoDaddy’s website continues to advertise “free privacy protection forever,” stating that it conceals users’ names, addresses, phone numbers, and email addresses from public directories. GoDaddy argues that stripping away default privacy protections would conflict with India’s own data protection law as well as the European Union’s GDPR regulation, both of which require a “privacy by default” approach.
Farzaneh Badii, a New York-based researcher who studies internet governance, was critical of the New Delhi ruling. She pointed out that European regulators moved to hide such personal details precisely because making them public had been exploited for harassment and targeted phishing attacks. “The people exposed will be journalists, activists, small business owners, and private individuals. The brand impersonators will not,” she said.
India’s Home Minister, Amit Shah, stated this year that a person falls victim to cybercrime every 37 seconds in the country, warning that inaction could allow the problem to become a “national crisis.” Although the sweeping December directives came from a court, documents show they were shaped by submissions from the government. An unreported 59-page document from India’s IT ministry, dated 2023 and included in GoDaddy’s appeal filings, revealed that the government told the judge it was troubled by “domain name abuse” and “lack of stringent verification.” The home ministry separately urged the court to make registration details “readily available” for use in criminal investigations.
That position is consistent with Modi’s government’s track record of confrontations with global technology companies. New Delhi has repeatedly criticized firms such as Meta, X, Google, and Telegram for allegedly failing to adequately police content it views as contrary to national interests, and has taken some of those companies to court.
In the McDonald’s case, the company sought action against 110 websites — such as mcdonaldsfranchiseindia.com — some of which displayed the chain’s Golden Arches logo and sold counterfeit franchise opportunities for “huge sums of money.” After those sites were blocked, GoDaddy raised objections to the court’s additional requirement that alphanumeric variations of a protected trademark be prohibited from registration. GoDaddy called such bans “blanket injunctions” that would be nearly impossible to enforce.
The company noted that the name “McDonald” has Scottish origins, derived from a phrase meaning “son of the world ruler,” and argued that blocking all variations of it would effectively “confer a monopoly” over a common name with deep linguistic and historical roots. Reuters found that domains such as mcdonalds-india-franchise.com were still available for purchase on GoDaddy’s India platform for approximately $10.
GoDaddy also submitted research drawn from the Merriam-Webster website to illustrate how protecting variations of a trademark like “HUL” — the Indian subsidiary of Unilever — could interfere with 118 English words that contain those letters, including “hulk” and “moghul.” The company concluded that it is “virtually impossible to register a domain name containing an English word that does not overlap with a registered trademark.”
The appeals are scheduled to be heard by the judges on July 16.








